CVE-2025-9983 HIGH

CVE-2025-9983: Lack of Authentication for RTSP stream

Vendor Galayou
Product G2
Weakness CWE-306 · Missing auth
Published September 22, 2025
Last update September 22, 2025

CVSS base score

7.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

GALAYOU G2 cameras stream video output via RTSP streams. By default these streams are protected by randomly generated credentials. However these credentials are not required to access the stream. Changing these values does not change camera's behavior. The vendor did not respond in any way. Only version 11.100001.01.28 was tested, other versions might also be vulnerable.

Key dates

02Disclosure timeline

September 22, 2025 CVE published
September 22, 2025 Record updated